Windows DNS resolution

rckollar asked:

Greetings all,

I have a web domain with hundreds of A records in it. There are about 10 sites that computers within my AD domain need to access via the sites' internal DMZ IPs instead of the public IPs. I know I can do this by creating a new DNS zone in AD and adding the A records for those particular sites to point to the DMZ addresses. I tried it and it works, but it breaks the other 290 sites that still need to resolve to the public IPs, as there are no records for them in the internal DNS zone. Is there a way that I can configure the new zone to only resolve the 10 A records in question and forward all of the other queries for that domain to the public DNS? I'd really like to not have to maintain all 300 A records in 2 different places if I don't have to.
ASKER CERTIFIED SOLUTION by footech (United States): text only available to Experts Exchange members.
compdigit44:

When you say updating the A record to point to the internal IP breaks the other sites, can you explain? Do all sites reference one another?

What you are looking to do is common and called Split-Brain DNS.
SOLUTION: text only available to Experts Exchange members.
I've heard the term split-DNS (which I prefer), split-brain DNS, and split-horizon DNS, but never shadow DNS.
Split DNS is just the result of having different DNS information for the same domain in different locations (typically public vs. internal) - there's no question of being supported as it's a perfectly valid way to provide DNS information.

Many firewalls will not allow traffic that comes in on one interface to contact another interface.  Yours may, or may not.  I'm not convinced that one way or the other is "cleaner" - so I'll leave that judgement up to you.

You'd need a pretty sophisticated DNS package from your public DNS provider to be able to set up rules which would return internal IPs to clients on your network and public IPs to other clients.  To be honest, I've never even considered it before.  Let's say your public DNS was served by MS DNS servers - the subnet prioritization feature on MS's DNS servers would not be enough to handle all that (it could work for internal clients, depending on your network structure, but I'm certain that public/internet clients would get internal IPs at least some of the time).
I've heard the term split-DNS (which I prefer), split-brain DNS, and split-horizon DNS, but never shadow DNS.

They are two different things: a shadow zone possesses its own records and will use records from a separate server or zone for all other records, so you basically maintain a single zone and just override a few entries. It is possible that MS's DNS can achieve this through some kind of DNS delegation I'm not aware of.

Note that a small DNS forwarder for the local network would do the trick easily. Use unbound or dnsmasq for such tasks.

You'd need a pretty sophisticated DNS package from your public DNS provider to be able to set up rules which would return internal IPs to clients on your network and public IPs to other clients

We're talking about a private server here. This feature is native to many/most DNS implementations. Additionally, they feature either rulesets or built-in protections so that handing LAN addresses to WAN clients does not happen. I'm unsure about MS's, though. DNS prioritisation is not enough to make this work properly

... which is why I believe allowing the WAN address to be queriable from the LAN might be easier and would produce a cleaner result in the end.
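As an added example, not part of the thread, this is what the "shadow zone" described in the comment above looks like as an unbound configuration: the few overridden names are answered from local data, and every other name under the domain (the other ~290 hosts) is resolved normally through the forwarder. example.com, the two hostnames, the 192.0.2.x DMZ addresses, the 10.0.0.0/8 LAN range and the 198.51.100.1 upstream resolver are all placeholders.

```conf
# /etc/unbound/unbound.conf  (added example; every name and address below is a placeholder)
server:
    interface: 10.0.0.53               # assumed: the forwarder's LAN address
    access-control: 10.0.0.0/8 allow   # assumed LAN range
    access-control: 0.0.0.0/0 refuse   # never answer WAN clients, so DMZ answers cannot leak out

    # transparent: if the queried name has local-data, answer from it; otherwise resolve
    # normally.  Hosts with no entry here therefore still get their public records.
    local-zone: "example.com." transparent

    # Only the ~10 overridden hosts are maintained here; the rest of the zone lives upstream.
    local-data: "www.example.com.    300 IN A 192.0.2.10"
    local-data: "portal.example.com. 300 IN A 192.0.2.11"

    # Optional reverse entries so that PTR lookups of the DMZ addresses resolve internally.
    local-data-ptr: "192.0.2.10 www.example.com"
    local-data-ptr: "192.0.2.11 portal.example.com"

# Everything else, including all other example.com names, goes to the public resolver.
forward-zone:
    name: "."
    forward-addr: 198.51.100.1         # assumed: ISP or public resolver
```

One caveat worth knowing before choosing the zone type: with `transparent`, a query for a name that has local-data but for a type that is not defined (for example AAAA for www.example.com) gets an empty NOERROR answer rather than being sent upstream, so dual-stack clients will not quietly bypass the override by connecting to the site's public IPv6 address. If you do want the other record types of an overridden name to resolve upstream, use `typetransparent` instead. dnsmasq gives the same split with `host-record=www.example.com,192.0.2.10` entries for the overrides and `server=198.51.100.1` for the rest.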
Interesting.  I'm very familiar with the capabilities of MS DNS servers, and from what you've described this is not possible with them (at least up to and including Server 2012 R2 - I think I've heard mention of something similar in Server 2016 but I've yet to investigate).

Whether the firewall solution is possible depends entirely on the firewall.
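For the Windows-only route the asker started down, the usual workaround for overriding a handful of hosts without hosting the whole domain is to make the DNS server authoritative for each overridden hostname as its own tiny zone, rather than for example.com itself. Because no example.com zone exists on the server, queries for the other ~290 names still go out through its forwarders and return the public addresses. This is an added example and is not the members-only solution above (which this page does not show); example.com, the hostnames and the 192.0.2.x DMZ addresses are placeholders, and the script is assumed to run on a DNS server in the AD domain.

```powershell
# Added example (not from the thread): per-host override zones on Windows DNS.
# Run on a domain DNS server; names and addresses are placeholders.
#Requires -Modules DnsServer

# Assumed: only these hosts must resolve to DMZ addresses from inside the AD domain.
$Overrides = @{
    'www.example.com'    = '192.0.2.10'
    'portal.example.com' = '192.0.2.11'
}

foreach ($fqdn in $Overrides.Keys) {
    # A zone whose name *is* the hostname makes the server authoritative for that one name only.
    if (-not (Get-DnsServerZone -Name $fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $fqdn -ReplicationScope 'Domain' -DynamicUpdate 'None'
    }

    # The blank (apex) record of that zone carries the DMZ address.  Add an AAAA the same
    # way if the DMZ host has IPv6; otherwise AAAA queries get an authoritative empty answer,
    # which is what you want, since clients then cannot fall back to the public IPv6 address.
    Add-DnsServerResourceRecordA -ZoneName $fqdn -Name '@' -IPv4Address $Overrides[$fqdn] `
        -TimeToLive (New-TimeSpan -Minutes 5)
}

# Check both halves of the split against this server: an overridden name returns the DMZ
# address, an untouched name (assumed: blog.example.com) still returns the public record.
Resolve-DnsName -Name 'www.example.com'  -Type A -Server $env:COMPUTERNAME -DnsOnly
Resolve-DnsName -Name 'blog.example.com' -Type A -Server $env:COMPUTERNAME -DnsOnly
```

Two limits of this approach: each override zone answers authoritatively for everything beneath it, so a name such as sub.www.example.com will get NXDOMAIN from the internal server unless you add it to that zone too; and DNS policies on Server 2016 and later (zone scopes with Add-DnsServerQueryResolutionPolicy) only apply to zones the server hosts, so they do not by themselves remove the need to carry all 300 records if you go that way.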
The solution provided in #42059993 is the common way to resolve the issue.
#42065149 is an alternative.